Sending Argus Data to ArcSight

Carter Bullard carter at qosient.com
Mon Jan 14 12:01:27 EST 2013


Hey John,
The design of argus's data flow architecture would want you to implement some form of
near real-time analytic in something like radium, which would add a label that indicated
your state ("rogue server", "rogue server with data"), and then you configure the
Smart Connector to attach to the radium, with a filter for "rogue", and whatever you
were looking for.  Voila, it goes into arcsight, printing the label as a field.

I can help you with this type of radium.  It already does labeling, it just needs some additional
"Streaming Analytics" support to provide the flexibility to change analytics.

If you care to work on this on the list, I'm game !!!!

Carter

On Jan 14, 2013, at 11:50 AM, John Kennedy <wilson.amajohn at gmail.com> wrote:

> The type of data I am sending to ArcSight is network flow data.  What I am trying to do with that information in ArcSight is identify rogue servers that could potentially be storing or transmitting regulated data not under my purview. I am still researching ways to identify these types of systems. 
> 
> The installation of the SmartConnector on the Argus host was not too difficult. Upon installation, the SmartConnector asks for a path to ra and a path to an ra.conf file.  I re-named the rarc file to ra.conf and made the recommended changes to the timestamp in the conf file.  Once the connector was started, I saw data immediately.   
> 
> 
> John
> 
> On Sun, Nov 25, 2012 at 3:20 PM, Dave Edelman <dedelman at iname.com> wrote:
> John,
> 
> I have quite a bit of data that I collect and process using Argus and the clients, and some of that ends up in CEF format for ingestion by ArcSight. I don’t have any SmartConnectors that deal directly with Argus data.
> 
> It would be helpful to have a few more details about the type of data you would be sending to ArcSight and, even more important than that, how you would be using the data. SIEM products frequently end up being repositories for huge amounts of data and minuscule amounts of information if they don’t have adult supervision.
> 
> --Dave
> 
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of John Kennedy
> Sent: Wednesday, November 21, 2012 2:14 PM
> To: Argus
> Subject: [ARGUS] Sending Argus Data to ArcSight
> 
> All,
> 
> Does anyone have any experience setting up an ArcSight SmartConnector for Argus?  I am curious how it is working out in your environment as well as if there is any impact to ArcSight.
> 
> Thanks
> 
> John
> 
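Editor's added example, not code from the argus project or from anyone on this thread: a Python stand-in for the near-real-time "rogue server" analytic Carter sketches above. It labels flow records the way a radium label stage would, keeps only records whose label matches "rogue" (the connector-side filter he describes), and renders them as CEF lines of the kind Dave mentions feeding to ArcSight. Everything specific is an assumption: the ra field order, the APPROVED_SERVERS inventory, the service-port list and byte threshold that define "rogue" and "with data", the CEF vendor/product/signature/severity values, and the sample records, which are constructed rather than captured.

```python
"""
Added illustration (not from the argus project or this thread): a stand-in
for a radium-style "rogue server" label analytic whose output is emitted as
CEF for an ArcSight connector filtering on "rogue".

Assumptions (none come from the page):
  * input lines are comma-separated ra output in this field order:
    stime,proto,saddr,sport,daddr,dport,sbytes,dbytes
  * a destination is a "rogue server" when it accepts a TCP/UDP flow on a
    service port but is not in the APPROVED_SERVERS inventory, and
    "rogue server with data" when it returned more than DATA_BYTES_THRESHOLD
  * the CEF vendor/product/signature/severity values are placeholders
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional

SERVICE_PORTS = {21, 22, 25, 80, 443, 445, 1433, 3306, 3389}  # assumed list
APPROVED_SERVERS = {"10.0.0.10", "10.0.0.11"}                  # hypothetical inventory
DATA_BYTES_THRESHOLD = 100_000                                 # bytes sent by the responder
SEVERITY = {"rogue server": 5, "rogue server with data": 8}    # assumed CEF severities


@dataclass
class Flow:
    stime: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    sbytes: int
    dbytes: int


def parse_ra_line(line: str) -> Flow:
    """Parse one comma-separated ra record in the assumed field order."""
    f = [x.strip() for x in line.split(",")]
    if len(f) != 8:
        raise ValueError(f"expected 8 fields, got {len(f)}: {line!r}")
    return Flow(f[0], f[1].lower(), f[2], int(f[3]), f[4], int(f[5]), int(f[6]), int(f[7]))


def label_flow(flow: Flow) -> Optional[str]:
    """Return the analytic's label for a flow, or None when it is not of interest."""
    if flow.proto not in ("tcp", "udp") or flow.dport not in SERVICE_PORTS:
        return None
    if flow.daddr in APPROVED_SERVERS:
        return None
    if flow.dbytes > DATA_BYTES_THRESHOLD:
        return "rogue server with data"
    return "rogue server"


def _cef_header(value: str) -> str:
    # CEF header fields escape backslash and pipe
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value: str) -> str:
    # CEF extension values escape backslash and equals sign
    return value.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(flow: Flow, label: str) -> str:
    """Render a labelled flow as a CEF:0 event line (placeholder vendor/product)."""
    ext_fields = [
        ("src", flow.saddr), ("spt", flow.sport),
        ("dst", flow.daddr), ("dpt", flow.dport),
        ("proto", flow.proto.upper()),
        ("out", flow.sbytes), ("in", flow.dbytes),
        ("cs1Label", "argusLabel"), ("cs1", label),
        ("cs2Label", "flowStart"), ("cs2", flow.stime),
    ]
    ext = " ".join(f"{k}={_cef_ext(str(v))}" for k, v in ext_fields)
    header = "|".join(_cef_header(h) for h in (
        "ExampleVendor", "ArgusLabelAnalytic", "0.1", "ROGUE-SRV", label, str(SEVERITY[label])))
    return f"CEF:0|{header}|{ext}"


def stream_rogue_events(lines: List[str]) -> Iterator[str]:
    """The pipeline end to end: parse, label, keep only 'rogue' labels, emit CEF."""
    for line in lines:
        if not line.strip():
            continue
        flow = parse_ra_line(line)
        label = label_flow(flow)
        if label and "rogue" in label:      # the connector-side filter on "rogue"
            yield to_cef(flow, label)


# Constructed sample records (not real traffic), in the assumed ra field order.
SAMPLE_RA_OUTPUT = [
    "2013-01-14 11:50:01,tcp,192.168.1.50,51000,10.0.0.10,443,2400,18000",
    "2013-01-14 11:50:02,tcp,192.168.1.51,51001,10.0.0.77,3306,500,250000",
    "2013-01-14 11:50:03,tcp,192.168.1.52,51002,10.0.0.78,22,1200,4000",
    "2013-01-14 11:50:04,icmp,192.168.1.53,0,10.0.0.9,0,80,80",
]

if __name__ == "__main__":
    for event in stream_rogue_events(SAMPLE_RA_OUTPUT):
        print(event)
```

Run as-is, the script prints two CEF lines: the MySQL flow to 10.0.0.77 is labelled "rogue server with data" because the responder returned more than the threshold, the SSH flow to 10.0.0.78 is labelled "rogue server", and the flow to the approved 10.0.0.10 and the ICMP record are dropped before they reach the connector. In a real deployment the label would be carried in the argus record's label field rather than in cs1, and the inventory and thresholds would come from your own asset data.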
